JP3689368B2 - Method of loading an application into a multi-application embedded system with data processing resources, corresponding system and execution method - Google Patents

Description

[0001]
The present invention relates to a method for loading an application into a multi-application embedded system having data processing resources, a corresponding embedded system, and an application execution method for the corresponding embedded system.
[0002]
The present invention relates in particular to the implementation of separation between modules sharing the same memory space (PARE-FEU) in a system embedded in a multi-application portable object that uses intermediate pseudo code and associated virtual machines. .
[0003]
The “Java” ™ technology introduced by the company “Sun” is based on a programming language directed to “Java” objects and associated virtual machines. This technology was developed by a station or PC (personal computer) (hereinafter referred to as a “Java” platform) having a power CPU and a large memory in megabytes.
[0004]
For several years, the concept of “Java” technology has been reworked, for example, credit cards, SIM micromodules incorporating microprocessors (generally called chip cards), to work with systems embedded in portable objects, It has been adapted to the format of GSM (Global System for Mobile Communication) mobile phones, PCMCIA cards, or any other mobile terminal. Hereinafter, the expression “card” will be used to indicate any one of these portable objects. The programming of the embedded system that has been configured as an assembler until now will be possible in a high-level programming language such as “Java” in the future, and the development of the client application can be facilitated and accelerated.
[0005]
These new types of platforms (hereinafter referred to as special platforms) that are unique to portable object embedded systems are subassemblies of conventional platforms. Differences have been made by reducing the embedded system environment. In general, as shown in FIG. 4a, a chip card (10) includes an input / output system (11) connected to a microprocessor (14), a volatile RAM (Random Access Memory) (12), a ROM ( A nonvolatile memory (15) including a read only memory (13), and a flash RAM or an EEPROM (electrically erasable programmable only memory). A collection of these elements is connected to the microprocessor by connection BUS. For example, chip cards best include ROM, 32 kilobytes of EEPROM, and 2 kilobytes of RAM by using existing new components.
[0006]
In a conventional “Java” system, the application is written to a station or PC. The source code is compiled with intermediate pseudo code called “Java Byte Code” that is independent of the platform device code used. The application is then downloaded to the target platform or the traditional “Java” platform. The loaded application is composed of a set of classes in which various methods are compiled into pseudo code, that is, a so-called client class, and is supported by an application programming interface or an application programming interface API (Application Programming Interface). The application programming interface can homogenize the user interface and control an editor, keyboard, printer, or the like. A conventional platform virtual machine includes a pseudo code checker, a dynamic class loader, a pseudo code interpreter that enables translation into device code, and a safety management program.
[0007]
The main difference between a conventional virtual machine and a virtual machine of an embedded system (hereinafter referred to as a special virtual machine) is that the virtual machine of the embedded system is decomposed into two separate parts. According to FIG. 4b, the virtual machine includes a converter (32), a part (30) outside the special platform (40), called an off-platform ("off-platform") virtual machine, and a pseudo code interpreter. And a part (41) in the card constituting the special platform (40), called an embedded ("on-platform") virtual machine (41).
[0008]
Thus, in the case of a special platform, the application source program (21) is written and compiled as intermediate pseudo code by the compiler (22) and checked by the intermediate pseudo code checker (31) at the conventional station (20). Are converted by a converter (32) located in the same station (20) or another station. The application is then downloaded to the volatile programmable memory, possibly EEPROM (15) of the portable object or special platform (40), possibly after passing through the signing device (34). Such loading is performed by a loader that includes an off-platform part (33) called a downloader and a special platform part (42) called a loader. Unlike what exists on a traditional platform for the station, the virtual machine (41) of the special platform (40) placed in ROM with the Operating System (48) includes an intermediate pseudo code checker I can't. This is because the checker is too heavy to store and / or execute on the portable object. The special platform (40) also does not include a dynamic class loader. In fact, in the case of the application domain of the present invention, in the off-platform virtual machine (30), the checker (31) checks that the compiled classes are properly formed and there is a special language intrusion in the description of the special platform. Check if there is. The converter (32) does the work necessary to load the class and resolve the reference. The converter performs static linking of classes and resolves symbol references to classes, methods and attributes that already exist on the card. The converter allocates storage, creates a data structure to indicate the class, creates static or native methods and attributes, and initializes static variables.
[0009]
A special platform execution environment (Runtime Environment or RE) is an embedded virtual machine ("on-platform") (41) limited to an interpreter, an API platform, and so-called specific or static related methods (43). including. The API platform includes an API (44) that determines a set of classes (45) called system classes, and a calling convention (Call Convention) in which an application accesses an execution environment (RE) and a static method (43). The static method (43) executes a card input / output encryption memory allocation service.
[0010]
The interpreter of the virtual machine (on-platform) embedded in the card (41) plays a role of supporting the “Java” language, and sequentially reads the intermediate pseudo code for each instruction. Each standard instruction of such intermediate pseudo code is interpreted by the interpreter in the language of the microprocessor and then executed by the microprocessor. In general, standard instructions in intermediate pseudo code enable processing of high-level programming languages such as arithmetic processing and object manipulation. The concept of objects relates to information objects such as lists, data lists or the like. The so-called client class (46) of the application and the system class (45) of the API are all loaded into the same memory space and managed via the class table (47).
[0011]
The virtual machine (41) also enables secure sharing of data, also referred to as attributes, variables, or fields, by managing classes and objects to ensure compliance between applications.
[0012]
In the case of a chip card type portable object, the application of the special platform can be directly operated by the execution environment (RE) when a selection APDU (Application Protocol Data Unit) transmitted from the service or the terminal is received by the card.
[0013]
In order to restrict access to data between code parts that share the same memory space, one of the methods commonly used on conventional platforms is the visibility (VISIBILITE) declared in the source code. Based on clear restrictions. According to FIG. 4c, the method (NM1, NM2; NM3, NM4) and the attribute (NA1, NA2; NA3, NA4) are enclosed in classes (NCI3, NCI2), respectively. The class itself forms a part of a package (package 1; package n) in which a plurality of classes are collected. A class may be public, such as (NCI1 or NCI2), or private, such as (NCI3), for the package, in the latter case this is the same package Means that only this class can access this class. The method (eg NM2) and data (eg NA1) of the class (NCI3) can be private to the class (NM2, NA1), the class itself is private to the package (package 1), Alternatively, it is public for the package (eg NM1, NA2) or class (eg NM4, NA4). Such visibility restrictions allow for flexible access between different sets of packages (package 1, package n) stored in the same namespace. But there are some drawbacks. Traditional or special platforms cannot have the concept of subpackages. Large application client classes must be distributed among the various subpackages, which show different packages only for virtual machines. To share resources between these subpackages, the resource must be declared public so that any other package can view the resource. Therefore, it is difficult to unambiguously organize different application packages for large applications and obtain separation between applications.
[0014]
In the bureau, in the case of conventional platforms, adherence to resource confidentiality, as declared in the source program, is based on dynamic checks. To perform such a dynamic check, the virtual machine must have all the information regarding the declaration of access restrictions for each class, method or attribute. This cannot be used in the case of memory space available in an off-platform virtual machine intermediate pseudocode or an on-form virtual machine using pre-connected bytecode. In the case of a special platform for mobile objects, access restrictions can be checked statically at compile time and again by an off-platform checker. In fact, it is assumed that what is loaded on the special platform of portable objects is correct. This is because the special platform cannot perform any checks due to information loss during the conversion stage. Moreover, any security based on the use of a private package is compromised because it is not guaranteed that the package will not be extended or modified by new classes sent from external sources.
[0015]
The second means obtained by the virtual machine of the conventional platform is the concept of name space separation. In the traditional platform dynamic linking configuration, classes are either from a local file system directory called “ClassPath” that has been previously declared to constitute the area of system classes that form the standard API platform, or locally. It can be loaded from a file system or other directory on the remote server. The client class of an application outside the “classpath” must be loaded by a specially programmed class loader. This feature is particularly used for loading the application “Java” by the qualified browser “Java”. Thus, applications sent from various sources are loaded by different class loaders. A special class instance “application class loader” is used for each locator generally called a URL (Uniform Resource Locator). The name outside the class is a combination of “package name” + “class name”. When a class is loaded, it is stored in an internal class table and a reference to the class loader used to load this class is added to the class package name prefix. In this case, the class name is “reference to class loader” + “package name” + “class name”. Thus, virtual machines do not recognize classes that are declared as belonging to the same package but loaded by different class loaders as belonging to the same package.
[0016]
When resolving a reference, the usual way for a class loader is to first search by system class, and if it fails, search the class file in an area where the loader can load the class. According to this operating principle of the loader, an application cannot directly access the client class of another application loaded by a different class loader. An application can access any public resource in the public class of the classpath. However, although the class of the class path can be referred to the client class instance of the application by converting it as a public type defined by the “class path”, the class of the application cannot be directly accessed. An application cannot extend or modify a system class package in the classpath or any other application package loaded by a different class loader. In addition to the complete typification provided by the "Java" language, using namespace separation by inserting class loader references into class names provides effective separation between applications. The original separation mechanism for space names allows easy loading of new applications. Applications can exchange objects through classes specially programmed for this purpose and placed in the “classpath”. An application can use an object sent from another application loaded by a different class loader if this object can be changed to a public type as defined in the “classpath”.
[0017]
Unfortunately, such name separation mechanisms, based on traditional virtual machines and their dynamic linking processes, can only be performed on special platforms. Since special platform virtual machines are not able to perform dynamic linking, this requires memory space that allows the storage of traditional “Java” platform class files with unresolved references. In the special platform, the API system class and the application client class are not separated by individual namespaces.
[0018]
The object of the present invention is to propose a solution in which the configuration of static linking obtains the advantages of name separation in the range of embedded systems with two-part virtual machines that are executed off-platform. .
[0019]
In the situation of embedded systems such as payment terminals, multi-application terminals, etc., there is a high-performance separation between "Java" applications supplied from various sources such as various payment systems (visas, master cards ...) It is necessary. Therefore, it is effective to enable flexible cooperation between applications sent from various sources. Embedded systems must also be easily updated by downloading new applications or new utility modules or updates without interfering with already loaded applications.
[0020]
A first object of the present invention is to propose a loading method by firmly separating applications while allowing applications to cooperate with each other, developing applications, or allowing other applications to be loaded.
[0021]
The purpose of this is to create a virtual machine containing an intermediate pseudo-code type language interpreter from a station where application source code is written, compiled by a compiler as pseudo code, checked by a checker, converted by a converter, and loaded by a loader And an embedded system according to the present invention having an execution environment with an application programming interface (API).
The conversion includes a static linking implementation of a collection of multiple packages called modules, configured to be stored in the same namespace of the embedded system, assigning each module an identifier (MID), and included in the class of modules Assign a reference number to each class, each method, and each attribute
A method or attribute reference in the pseudocode linked to the module is encoded with 3 bytes consisting of an indicator that indicates the internal or external class reference of the module, the class number, and the method number or attribute number,
A module is one or more application programming modules (API modules) each containing a system class or service module corresponding to one application, and references to external classes are systematized by the virtual machine as references to application programming interface modules. It is characterized by interpretation.
[0022]
According to another feature, loading a module into an embedded system includes storing at least one display list of modules, associating a number with one module by a 0-n linker, and listing the module in the list. A table storing an index and an association of a display list index to an identifier (MID) of the module, the list and table comprising non-volatile programmable memory, and the external module in pseudo code The external reference is interpreted by the virtual machine interpreter as constituting an access index to a module that is equivalent to the index of the list of modules.
[0023]
According to another feature, the load includes storage of a display list for that class, including a reference to the index of the module for each module, and a display list of attributes and methods for each class.
[0024]
According to another feature, a module is referenced in a single module list, a system class is contained in a single API module, and any reference to an external class different from n in the pseudo code is said API module As a reference to
[0025]
According to another feature, a class is declared public or declared as a private package, attributes and methods are declared protected as a private package or class, and the class number order is public class Then, in the order of the private package class, the numbering of the attributes or methods is done by the converter in the order of the public attributes or methods protected as private packages and private classes.
[0026]
According to another feature, the system class is included in a plurality of API modules that can be loaded separately, the loader corresponds to two display lists of modules, one corresponding to the API module and the other corresponding to the non-API module. The two association tables MID / Imi are held in the nonvolatile programmable memory, and the loader loads the module into one of the two lists according to the property in the header of the special module. Any external reference is interpreted as an API module index reference.
[0027]
According to another feature, the static linking of the module is done so that references to non-API module external classes in the intermediate pseudo code are indices in the list of module headers, each input of which is referenced API module identifier (MID), the loading of the module on the target platform includes an alternative to the reference by the API module index number derived from the API module association table identifier (MID).
[0028]
Another feature of the present invention is to propose a corresponding embedded system.
[0029]
This object is achieved by an embedded system according to the present invention comprising a virtual machine, an API platform including an application programming interface, a non-volatile ROM, a non-volatile programmable or modifiable memory, and a RAM. The programmable memory includes at least one API module including a system class and a service module, at least one module display list indexing the module, and a table associating the module identifier of the display list with the module identifier. Each module includes a class display list in which each class is indexed and each class has a reference to that module's index. Contains a display list of attributes and methods indexed, where a method or attribute reference is encoded with at least 3 bytes corresponding to a module internal or external class reference, and the module external reference is an API module in the module list The class number corresponds to the class index in the module class display table, and the method or attribute number corresponds to the method or attribute index in the module class method or attribute display table. .
[0030]
According to another feature, a comparison means for comparing a first byte of 3 bytes encoding a reference to a method or an attribute with a predetermined value n to determine whether it relates to an inner class or an outer class. Including.
[0031]
According to another characteristic, it has a main module containing the main program of the system.
[0032]
According to another feature, classes are indexed in the order of public classes, then private package classes, attributes or methods are public attributes or methods, protected attributes or methods, private package attributes or methods, And indexed in order of private class.
[0033]
According to another feature, a non-volatile programmable memory comprises a plurality of API modules including a system class, two module display lists, one for API modules and the other for non-API modules, and a main module; Each includes two MID / IMi association tables corresponding to the module display list.
[0034]
According to another feature, the API module includes an access manager class “access manager” that includes a method capable of instantiating a service module via the main module, the class having one or more instances. Provide protection that prohibits things.
[0035]
Another object of the present invention is to propose a method for executing an application existing in a multi-application embedded system.
[0036]
This object is achieved by a method for executing an application of a multi-application embedded system having an execution environment comprising a virtual machine including an intermediate pseudo-code type language interpreter and an application programming interface (API). Supports one application that references a method or attribute reference in pseudocode encoded in at least 3 bytes corresponding to a reference to a class or external class, class number and method or attribute number in the module list When executing the intermediate pseudo code of the service module, the external reference of the module is interpreted by the virtual machine as a reference of the index of the API module in the list of one or more API modules. That.
[0037]
According to another feature, upon receiving a request to execute a service module having an identifier, the execution environment accesses an input class of the main module including the main program of the system, and the main module manages access to the service module. Install an instance of the API module special class "Access Manager" and use the methods of this class to request the service module via a table that associates an identifier with the module index in the list in which the module is referenced Can be instantiated, and the instance is returned to the main program by this method.
[0038]
Other features and advantages of the present invention will become more apparent upon reading the following description made with reference to the accompanying drawings.
[0039]
1-3, a method for implementing the present invention in a special type of embedded system, for example, but not limited to, a chip card or similar portable object will be described. A bytecode display or bytecode type program covers any pseudocode or intermediate program.
[0040]
The portable object comprises, for example, a chip card and has a structure similar to that described above with reference to FIGS. 4a and 4b, and in particular includes RAM, ROM, EEPROM. A special platform (60) and a conventional station (80) are shown in FIG. The special platform (60) has an execution environment (RE) that includes an API (62) and an embedded ("on-platform") virtual machine (61) in ROM. The special platform (60) is shown in FIG. 1 as containing a collection of ROM and EEPROM. Note that the special platform (60) specifically includes an execution environment (RE) and elements present in the EEPROM. The portable object has an operating system (63) in ROM. The API (62) existing in the ROM constitutes the basic API of the API platform, is loaded together with the embedded virtual machine, and operates the virtual machine.
[0041]
The portion (90) outside the portable object of the virtual machine includes an intermediate pseudo code checker (91), a converter (92), and possibly a signature device (94). The signing device sends a signature to validate the passage by checkers and converters. This signature is checked by the mobile object at the moment of loading. An application for complementing the basic API or loading of a new API into the EEPROM is performed by a loader. The loader can be composed of two parts called a downloader (93) and a part outside the portable object that can be installed in the virtual machine (90) outside the portable object, and a special platform part called the loader (68).
[0042]
According to the first embodiment, the special platform (60) includes two special modules, an API module (65) and a main module (66). The other module is called the service module (67). Each module corresponds to a set of packages stored in the same namespace. The API platform refers to a basic API (62) and a set of system classes that determine an API module (65) or API platform module. The main module includes a main class that determines a main program. Each module except the API module (65) has a specific single class called “entry class Entry Class” that constitutes an access point to the module. For the main module, this “entry class” is a main class (CP), and is a class including a static method called “main”. For a service module, it is a class that has only a configuration without parameters and implements a special public interface called “service” determined by the API platform. Application loading corresponds to service module loading. Each module receives a special identifier. Such a special identifier called MID can be, for example, a number, a string or a list. As an example, the identifier is a character string.
[0043]
When loaded into the platform by a different download mechanism than a special platform virtual machine, the module receives a number between 0 and n. Thus, according to this agreement, at most n + 1 modules can be present on a special platform. The module downloader (93) with the loader (68) maintains a module display list (TRM) (69) when loading a new service module. The number associated with the module is the index (IM) of this module in the list. The loader (68) also maintains a table (70) that associates an index (IM) with the identifier (MID) of each module. API module is index IM ₀ Systematically receives the number 0 for the main module index IM ₁ The number 1 is received. The header of each module determines whether the nature of the module is a “main” module, a “service” module, or an “API” module.
[0044]
The loader (68) can only load modules that are allowed to remain on the portable object, i.e. modules with signatures known to the portable object. Accordingly, the loader (68) includes means for checking the signature of the receiving module, comparing it with the known signature of the portable object, and blocking loading if the comparison is negative.
[0045]
Generally, as specified in the above prior art, the application source program (81) is written and then compiled by the compiler (82) and then checked by the checker (91).
[0046]
The static linking performed by a component called the converter linker in the converter (92) is
-A number (NCI) for each class of modules,
-A number (NM) for each method in the class,
Resolve symbol references by assigning a number (NA) for each attribute of the class.
[0047]
These numbers (NCI, NM, NA) are 0-n and can be indicated in bytes. For example, each number is 0-255 (n = 255). References to class methods or attributes are thus encoded in pseudocode linked in 2 bytes to the module method. The pseudo code includes “NCI” for these 2-byte classes, “NA” for attributes, or “NM” for methods.
[0048]
According to FIG. 3, the internal display of the API module (65), main module (66) or service module (67) includes a class display list (TRC). The number (NCI) associated with each class by the linker outside the embedded system is the index (ICi) of the display of this class in the class display list (TRC). Each class also has a reference to the module index (IMi). Similarly, the display of each class includes a method display list (TRMe) and an attribute display list (TRA) belonging to the class. The number (NM) associated with each method by the linker outside the embedded system is the index (IMi) of the display of this method in the method display list (TRMe), and the number associated with each attribute by the linker outside the embedded system. (NA) is an index (IAi) of display of this attribute in the attribute display list (TRA).
[0049]
For example, when a system class corresponds to a class in the traditional platform “classpath”, the module attempts to reference only its own class and the system class of the API platform. According to the present invention, an internal (II) or external (IE) indicator is used to identify a method or attribute in order to be able to distinguish between a module internal class reference and a system class (or module external class) reference. Appended to the reference. The resolved reference is then encoded with 3 bytes of “IE / II”, “NCI”, “NM” or “IE / II”, “NCI”, “NA”.
[0050]
According to the agreement above, for the value n of the first byte “IE / II”, this value, which in the example is 255, corresponds to the internal reference “II” of the module, and for the first byte Any other value corresponds to the module's external reference “IE”.
[0051]
The linker of the converter (92) of the virtual machine (90) outside the portable object first links the API module (65) which does not have the external reference “IE” in the pseudo code, and class and method and attribute symbols. Generate an arrangement or configuration corresponding to the name plan. When linking other modules, this arrangement is used to set an external reference to the system class of the API module (65).
[0052]
According to the byte convention of the present invention for encoding references, the API module has a maximum of 256 (n + 1) classes, and each additional module has 256 classes.
[0053]
When the service module is executed, when the virtual machine (61) knows the class “NCI” with the reference and refers to the method “NM” or the attribute “NA” in the pseudo code, the virtual machine is indexed of the module involved. “IMi” can be found directly and this module corresponds to an external reference (IE) or internal reference (II). Any external references (IEs) in the service module pseudo code are systematically interpreted by the virtual machine as API module references. The service module or main module cannot refer to any other module class except the API module class. The system class of the API module cannot refer to the service module or the main module class. The internal reference of the module class corresponding to the value n for the first byte need not know a priori the namespace assigned to the module. By not determining the fixed namespace a priori during the conversion phase, reference resolution can be accelerated and the module namespace can be determined during loading after the conversion phase. The virtual machine uses three consecutive indexes “IE / II”, “NCI”, “NM” or “IE / II”, “NCI”, “NA” when interpreting attribute or method references in pseudo code. Since the memory space of the module has been determined, the index “NCI” determines the desired entry in the module's class list (TRM), and then the last index “NM” or “NA” picture, method list (TRMe) ) Or attribute list (TRA).
[0054]
The API module includes a special class (64) called the “access manager” class, which is a unique method that serves to return an instance object of the requested service module input class from the module identifier (MID). (GetServiceInstance). This method uses the MID / IMi association table (70) to know the index of the module requested in the module list (69), then creates an instance of the input class for this module, return. In accordance with the present invention, the “Access Manager” class (64) is protected by design with a method consisting of prohibiting the class from having one or more instances. The unique method (getServiceInstance) belongs to the main program included in the main module. The main module that is activated first when using a portable object creates one instance and one “access manager” class, so this module can use the getServiceInstance method, For any service, creation of other instances to use this method is prohibited.
[0055]
The execution environment (RE), when activated, accesses the input class (EC) of the main module and activates the input method (main), as in the conventional platform. Since the main module is activated first, it installs an instance of the “Access Manager” class before any other services. This is because the main module must already have such an instance of the access class in order to operate other services.
[0056]
Such a simple device can recreate the protective effect coupled with the concept of the namespace of the conventional platform. The service module is loaded into the module list and the virtual machine interprets the presence of all external references in the pseudocode as API module references, so this module is never directly accessed by other modules. , Completely separated.
[0057]
The first embodiment described above provides an advantage that separation (PARE-FEU) can be obtained by separation of name spaces in the situation of a virtual machine having two parts. However, this embodiment is not flexible and has the following two drawbacks.
[0058]
First, any pre-linked modules prevent any modification or extension of the system class. The conventional “Java” architecture can modify and extend the API platform classes without affecting the already compiled classes of the additional modules. However, in the above embodiment, any modification of the system class will modify the configuration of the API platform, even if it is not displayed for foreign modules, and each link already linked to the traditional version of the configuration. Since it modifies the pre-linked pseudo code of the module, it is therefore necessary to modify the interpreter.
[0059]
Secondly, since pre-linked modules are assumed to be portable between various embedded platforms or terminals, each of these platforms must have the same configuration as the API platform, Extended use by any owner is prohibited.
[0060]
In order to partially eliminate these drawbacks, a variant of the first embodiment consists of imposing the public class first and before the private package class in the order of the number of placements. In addition, public methods or public attributes come before protected methods or attributes and methods or attributes in private packages and classes. Thereby, a new public class can be freely added to the API module (65).
[0061]
FIG. 2 shows a second embodiment in which the API platform can be developed. Instead of being composed of a single API module, the API platform is composed of a plurality of API modules (100) that can be loaded separately.
[0062]
In this embodiment, the downloader (93) and the virtual machine correspond to the service module (67) and the main module (66) instead of one each, and for the API module, the list (101). For the association table (102) and the non-API module, the two module lists of the list (103) and the association table (104) and the two MID / index association tables are shared.
[0063]
Each module has an indicator “service” or “API” in its header that allows the loader to load the module into a list of API modules (101) or a list of non-API modules (103). This indicator is placed in the header of the module during the compilation phase by the converter.
[0064]
The separation consisting of namespace separation (PARE-FEU) exists only between non-API modules. Any external reference to the service module is interpreted by the embedded virtual machine interpreter as an index into the list of API modules.
[0065]
Non-API modules are numbered from 0 to a maximum of 255 in the n = 255 example, where 0 is the index of the main module (66), for example. The API module (100) is numbered from 0 to a maximum of 254, where 0 is, for example, the index of the so-called primary API module and includes any unique methods. According to the above agreement, this allows up to 255 (n) different modules on the API platform. A method or attribute reference in the pseudo code is as follows:
[0066]
"" IE / II "" NCI "" NM / NA ""
The value 255 (n) for the first byte indicates the internal reference of the module, as in the first embodiment. Each value different from 255 indicates an external reference of the special module (100) in the API module list of the API platform.
[0067]
After linking is performed by the off-platform linker (92), the module pseudo-code includes a header with a reference module list that is used to link the current module. The reference module list includes a maximum of 255 inputs, each input corresponding to an identifier (MID) of the API module (100). In that case, the first byte of the external reference in the pseudo code is the index in this list. Since the index number associated with the API module (100) is known when loading into the non-API module platform (67, 66), the first byte of the external reference is the MID- of the API module (100). By using the IMi association table (102), the index number associated with the referenced API module is substituted. Such an alternative is a single linking operation performed by the loader (68) on a special platform, and the MID / IMi association table (102) is only used to perform this linking operation.
[0068]
For example, in the pseudo code of the service module “TEST”, it is assumed that the method number 5 of the API module class number 7 is referred to and the identifier (MID) is “F00”. Further, it is assumed that “F00” is an identifier of the fourth API external module referred to by the service module “TEST”. In that case, the reference in the pseudo code consists of three values 3, 7, 5.
[0069]
The number 3 corresponds to the fourth index in the reference module list existing in the header of the module sent to the beginning of the pseudo code, and the value of this input is the identifier (MID) “FOO”. Assume that when loading the API module “FOO”, the internal index 34 has been assigned to the target platform in the API module association table (102). In that case, the loader (68) modifies the reference with the pseudo code of the service module “TEST” using the association table (102) so that it becomes 34, 7, and 5.
[0070]
During execution of the module pseudocode, the module's external reference is systematically interpreted as input in the API module table by the virtual machine. The modules in the non-API module list are hidden from each other and to the API modules. Such a simple device can recreate the protective effect coupled with the concept of the namespace of the conventional platform. By simply loading the module into the non-API module list, this module is never accessed directly from other modules and is completely separated.
[0071]
The list of API modules (101) includes a special module (105) called the “API access” module. This module includes a unique method (getServiceInstance) that serves to return an instance object of the input class of the requested service module. This method uses the MID / IMi association table (104) to know the index of the service module requested in the non-API module list (103), then instantiates the input class of this module and This instance is returned by the method of. The recommended safe practice is to form a protected class from the "Access Manager" class that declares the designers and methods protected. Furthermore, the “API access” module (105) has an “access manager” class. More than one Includes protection consisting of prohibiting having instances. This method is dedicated to the main program obtained in the main module (66). Since the first activated primary module creates an instance of the access manager module, this module can use the getServiceInstance method, but all other services are prohibited from creating other instances to use this method. It is done. Thus, the main module can create a service instance.
[0072]
Several methods can be used to obtain this protection, which consists in prohibiting the “access manager” class from having only one instance. The class designer, for example, can block an instance creation request if one already exists and start a safety exception. The execution environment (RE), in operation, accesses the input class of the main module (66) and activates the input method (main). Since the main module is activated first, it installs an instance of the “Access Manager” class before any other services.
[0073]
In order to allow service modules to work with other service modules, these strict safety measures are modified to add public classes to the “access manager” class of the API access module (105), where every module Requests may be made. These public classes include, among other things, static methods that can yield a single instance. A module that accesses an instance object of the "Access Manager" class can run and use another service module, but a direct reference to that class, method or attribute requires a reference by the virtual machine. is necessary. This is because all external references in the pseudo code are internal references of this module or external references of the API module.
[0074]
To easily implement this solution, it is necessary to avoid having circular references in the API module. Thus, the temporary closure of the relationship “refers to” must be in the reverse, partly reverse order, in the module set. Thus, in the converter (92) linker, a simple policy is designed in the converter (92) linker to combine and generate API module configurations by first processing the minimal elements that are not yet linked. can do. The same policy based on partial order can be followed for downloading API modules, so when downloading module M, all referenced modules are already downloaded, and numbers are assigned to them. Yes. The internal index assignment in the target platform is made by the module loader (68) by assigning the index n-1 to the nth order API. An API module cannot reference another API module with a larger index.
[0075]
By using this system with duplicated module lists (101, 103) and association tables (102, 104), a single API module can be easily replaced by multiple API modules that can be loaded separately. By replacing a single API module with multiple API modules, the API platform can be extended with new modules without changing the assembly of already loaded modules and without changing the security provided by separation. it can. Of course, the two embodiments are not compatible. Modules must be pre-linked specifically to any of the embodiments, and the pseudocode for one embodiment is not supported on the platform that implements the other embodiment. Moreover, the interpreter of the virtual machine differs depending on the embodiment. In the first embodiment, the virtual machine operates only one list and one association table. The first byte of the reference is interpreted by the virtual machine as an internal reference for all values equal to n and as a single API module external reference for all values different from n. In the second embodiment, the virtual machine operates two lists and two association tables. The first byte of reference in the pseudo code is interpreted by the virtual machine as an internal reference for all values equal to n, and all values different from n are considered directly as indexes in the API module list. In two embodiments, a virtual machine interpreter compares a first byte of 3 bytes that encodes a method or attribute reference with a predetermined value n and relates to an internal class of a module or to an external class. To decide. The order of the API modules is determined next to loading, so that external references in the pseudo code can be fixed finally and very simply.
[0076]
The same mechanism is used to operate the two types of modules, although the methods used and the resulting security are quite different. All modules have free access to the API module because the class is a system class. The use of a modular approach is used with service modules to obtain a strict separation that protects these modules from any direct access.
[0077]
The method according to the invention can be implemented with any type of form object with small resources, for example 16ko ROM, 8ko EEPROM, 256k RAM.
[0078]
Other modifications that can be understood by those skilled in the art are also part of the intent of the present invention.
[Brief description of the drawings]
FIG. 1 is a diagram schematically showing various elements necessary for loading a form object according to the first embodiment.
FIG. 2 is a diagram schematically showing various elements necessary for loading a form object according to the first embodiment.
FIG. 3 is a diagram showing the inside of a module.
FIG. 4a is a diagram showing a conventional configuration of a chip card.
FIG. 4b is a diagram showing a system necessary for the configuration of a virtual machine incorporated in a chip card according to the prior art.
FIG. 4c is a diagram showing the structure of an application class.

Claims (15)

From the station where the application source code is written, compiled as pseudo code by the compiler (82), checked by the checker (91), converted by the converter (92), and loaded by the loader (93, 68), intermediate pseudo A method of loading an application into an embedded system having an execution environment with a virtual machine including an interpreter for a code type language and an application programming interface (API), comprising:
The conversion includes a static linking implementation of multiple sets of packages called modules, configured to be stored in the same namespace of the embedded system, assigning an identifier (MID) to each module by the converter, and assigning the module class Assign a reference number (NCI) to each class (NCI), each method (NM), and each attribute (NA) that enters
References to methods or attributes in pseudocode linked to modules include module internal class (II) or external class (IE) reference, class number (NCI), method number (NM) or attribute number (NA) Are encoded with 3 bytes consisting of an indicator indicating
The loaded modules are one or more application programming modules, each containing a system class or service module corresponding to one application, and the external class reference (IE) is a virtual machine as a reference to the application programming interface module. A method characterized by being interpreted by: Load modules to the embedded system comprises a while the storage of the list (69,101,103) which represents the module number between index modules in the list of 0~n associated with the module by the linker (IMi) and including storage of tables (70, 102, 104) that store display module index associations of the identifiers (MIDs) of the modules, the lists and tables from a non-volatile programmable memory The external reference (IE) to the external module in the pseudo code is interpreted by the virtual machine interpreter as constituting an index equivalent to the index of the list of modules. Application to embedded system De way.   The load includes, for each module, storage of a display list of classes (TRC), including a reference to the index of the module, and for each class, storage of display lists of attributes (TRA) and methods (TRMe). The method of loading an application into the embedded system according to claim 2, wherein the application is loaded.   A module is referenced in a single module list, a system class is contained in a single API module, and any reference to an external class different from n in the pseudo code is interpreted by the virtual machine as a reference to the API module The method of loading an application into an embedded system according to claim 2, wherein:   A class is declared public or declared as a private package, attributes and methods are declared protected as private packages or private classes, and the class number order 5. The order of attributes or methods is performed by the converter (92) in order of public or private package protected and private class protected attributes or methods. To load an application into an embedded system.   The system class is contained in a plurality of API modules that can be loaded separately, and the loader (68) holds two display lists of the module and two association tables MID / Imi corresponding to the nonvolatile programmable memory. One for an API module and the other for a non-API module, where the loader is one of two lists depending on the nature of the module specified in the header, a list of API modules or a non-API module 3. A method for loading an application into an embedded system according to claim 2, wherein the module is loaded into a list of modules, and any external reference of a module in the module list is interpreted as a reference to an index of an API module. Module static linking is performed by the loader, and the module pseudocode includes a header with a list of referenced modules used to link the current module, each entry in the list being an API module identifier ( corresponding to mID), reference to an external class non API module in the intermediate pseudocode is an index in the list, loading of non-API module to the target platform, the API module mID / IMi association table identifier (mID 7. The method of loading an application into an embedded system according to claim 6, including replacement of the reference by an API module index number obtained from (1).   An embedded system including a virtual machine, an API platform including an application programming interface, a nonvolatile ROM, a nonvolatile programmable or modifiable memory, and a RAM, wherein the nonvolatile programmable memory is a system class And at least one API module including the service module, at least one module display list (TRM) indexed to the module, and a table that associates the module index (IM) of the display list with the module identifier (MID). Each module includes a class display list (TRC) in which each class is indexed and each class has a reference to its index (IM), The class contains a display list of attributes (TRA) and methods (TRMe) indexing attributes and methods, where the method or attribute reference corresponds to the module's internal class (II) or external class (IE) reference The module external reference constitutes an API module index in the module list, the class number (NCI) corresponds to the class index in the module class display table, and the method (NM ) Or attribute (NA) number corresponds to the method or attribute index in the module class method or attribute display table.   Comparing means for comparing a first byte of 3 bytes that encodes a reference to a method or an attribute with a predetermined value n to determine whether it is related to an inner class or an outer class Item 9. The embedded system according to Item 8.   The embedded system according to claim 8, further comprising a main module including a main program of the system.   The class is indexed in the order of the public class, then the private package class, and the attributes or methods are public attributes or methods, protected attributes or methods, private package attributes or methods, and attributes or attributes in the private class. 9. The embedded system of claim 8, wherein the system is indexed in order of method.   A plurality of API modules including a system class and two module display lists (101, 103), one for the API module and the other for the non-API module and the main module, and two corresponding to the module display list The embedded system according to claim 11, characterized in that the non-volatile programmable memory includes the MID / IMi association table (102, 104).   It includes an access manager class “access manager” of the API module (105) including methods capable of instantiating a service module via a main module, and the class “access manager” is the class “access manager”. The embedded system of claim 10, comprising protection that prohibits having more than one instance.   A method for executing an application of a multi-application embedded system having an execution environment including a virtual machine including an interpreter of an intermediate pseudo code type language and an application programming interface (API), the module internal class (II) Or a reference to an external class (IE) and a method or attribute reference in pseudocode encoded with at least 3 bytes corresponding to the class number (NCI) and the method (NM) or attribute number (NA). When executing the intermediate pseudo code of the service module corresponding to one application that is referred to in the module list, the external reference of the module is referred to the API module index in the list of one or a plurality of API modules by the virtual machine. Is interpreted Te, it interpreted intermediate pseudocode method characterized in that it is executed by the microprocessor.   When the execution request of the service module having the identifier (MID) is received, the execution environment accesses the input class of the main module including the main program of the system, and the main module manages the special access to the service module. By installing an instance of the class "Access Manager" and using the methods of this class, the input class of the requested service module's input class is passed through a table that associates an identifier with the module's index in the list in which the module is referenced. 15. The application execution method of a multi-application embedded system according to claim 14, wherein an instance can be generated, and the instance is returned to the main program by the method.

Images